Numerous techniques are known for providing secure access to protected resources. One widely-used approach involves the use of one-time passcode (OTP) devices such as hardware authentication tokens. Authentication tokens are typically implemented as small, hand-held devices that display a series of passcodes over time. A user equipped with such an authentication token reads the currently displayed passcode and enters it into a computer or other element of an authentication system as part of an authentication operation. This type of dynamic passcode arrangement offers a significant security improvement over authentication based on a static password.
Conventional authentication tokens include both time-synchronous and event-synchronous tokens.
In a typical time-synchronous token, the displayed passcodes are based on a secret value and the time of day. A verifier with access to the secret value and a time of day clock can verify that a given presented passcode is valid. The secret value is an example of what is more generally referred to herein as a “key.”
One particular example of a time-synchronous authentication token is the RSA SecurID® user authentication token, commercially available from RSA, The Security Division of EMC Corporation, of Bedford, Mass., U.S.A.
Event-synchronous tokens generate passcodes in response to a designated event, such as a user pressing a button on the token. Each time the button is pressed, a new passcode is generated based on a secret value and an event counter. A verifier with access to the secret value and the current event count can verify that a given presented passcode is valid.
Many authentication systems are configured to require that a user enter a personal identification number (PIN) or other static access code in addition to entering the passcode from the authentication token. This provides an additional security factor, based on something the user knows, thereby protecting against unauthorized use of an authentication token that is lost or stolen. Such an arrangement is generally referred to as two-factor authentication, in that authentication is based on something the user has (e.g., the authentication token) as well as something the user knows (e.g., the PIN).
Passcodes generated by authentication tokens can also be used as secure service credentials in order to allow service technicians to access storage arrays and other processing equipment for any repairs, tests, upgrades, or other service operations that may need to be performed after such equipment is deployed in the field. However, in this secure service access context, issues of key management become increasingly important. For example, a single key may be replicated on multiple storage arrays such that each of the storage arrays can support service technician access control based on passcodes generated using that same key. Such an arrangement is often desirable in that service technicians responsible for servicing a large number of storage arrays deployed in the field will need to keep track of fewer passcodes, but unfortunately it also creates a “break once, run anywhere” vulnerability in that an attacker who is able to compromise one of the storage arrays can then access any of the other storage arrays that share the same key.
These and other drawbacks of conventional practice are addressed in U.S. patent application Ser. No. 13/629,771, filed Sep. 28, 2012 and entitled “Protected Resource Access Control Utilizing Intermediate Values of a Hash Chain,” which is commonly assigned herewith and incorporated by reference herein. Illustrative embodiments disclosed therein provide secure access to protected resources by utilizing intermediate values of at least one hash chain as respective access credentials. Arrangements of this type facilitate service technician access to storage arrays and other deployed processing equipment while also avoiding the above-noted “break once, run anywhere” vulnerability.
Despite the considerable advances provided by the techniques of the above-cited patent application, a need remains for further improvements in providing secure access to protected resources.